Zscaler IPSec tunnel over Palo alto SD WAN

Hi,

Sorry for the long post.

We have migrated from an ASA to a Palo Alto 445 firewall.

We have a Zscaler tunnel from the Palo Alto with PBF; however, monitoring was failing to switch over. We have a second circuit now, and I tried to do ECMP with the tunnel interface, and nothing worked.

I added the default route to the tunnel (and a higher metric to DIA) and changed the PBF policy to "No PBF"; however, the traffic wasn't going through the tunnel, as I had added monitoring on the static route pointed to the Zscaler public IP (I tried the peer as well as the VIP address). Monitoring on the static route showed down, and PBF was showing up.

I added the tunnel IP address to the encryption domain and the static route monitoring came up, but the traffic still wasn't going through the Zscaler tunnel, although the default route pointed to the Zscaler tunnel.

To avoid another failed change, I removed the static route pointed to the tunnel and added a PBF rule pointed to the tunnel interface, as described in the Zscaler documentation, and it started working.
https://help.zscaler.com/zia/ipsec-vpn-configuration-guide-palo-alto-networks-firewall#createtunnelm... (I know this is for an older Palo Alto version, probably 8.x; however, this is the link they shared with us.)

I did a failover test on the Zscaler tunnel by changing the peer IP address to 1.1.1.1. It didn't fail over to the routing table, although the tunnel interface showed down, and the site went down.
Right now, if the tunnel goes down, we have to manually disable the Zscaler PBF to get the internet working.

After a few hours, the TAC team shared an article which says that we cannot use a public IP address to monitor on a tunnel interface with a private IP address. They asked me to speak with our SE, as it's a new design, and closed the case.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqvCAC

So I decided to go with SD-WAN on Palo Alto and would like to know a simple configuration for a small site with no hub-and-spoke topology.

Each site goes to the internet directly over Zscaler, plus a tunnel to Azure bypassing Zscaler, on HA active/standby firewalls over SD-WAN (Palo Alto, not Prisma). If someone can help me with a simple configuration to configure the firewall through Panorama, that would be helpful.

Thanks,

Raaj